[Bug 13104] New: NULL deref do_server_sender when argc=0

[Bug 13104] New: NULL deref do_server_sender when argc=0

Samba - rsync mailing list
https://bugzilla.samba.org/show_bug.cgi?id=13104

            Bug ID: 13104
           Summary: NULL deref do_server_sender when argc=0
           Product: rsync
           Version: 3.1.3
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: core
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]

Created attachment 13732
  --> https://bugzilla.samba.org/attachment.cgi?id=13732&action=edit
patch to handle argc == 0

$ bin/rsync --version
rsync  version 3.1.3dev  protocol version 31

This exists in 3.1.2 as well.

rsyncd reads in arguments from the connecting client. These are parsed in
parse_arguments. parse_arguments parses what it can via popt, and increments
argv and decrements argc to reflect the consumed values.

The problem is that do_server_sender is expecting at least 1 argument to use as
dir

786     char *dir = argv[0];

When there are no arguments in argv this leads to a NULL deref.

ASAN:SIGSEGV
=================================================================
==7407==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x000000453662 bp 0x7fffffffae90 sp 0x7fffffffae50 T0)
    #0 0x453661 in do_server_sender /home/raj/rsync/rsync/main.c:786
    #1 0x4556a0 in start_server /home/j/rsync/rsync/main.c:1110
    #2 0x4b202a in rsync_module /home/j/rsync/rsync/clientserver.c:1007
    #3 0x4b2a49 in start_daemon /home/j/rsync/rsync/clientserver.c:1135
    #4 0x48f56e in start_accept_loop /home/j/rsync/rsync/socket.c:618
    #5 0x4b320a in daemon_main /home/j/rsync/rsync/clientserver.c:1237
    #6 0x4582da in main /home/j/rsync/rsync/main.c:1627
    #7 0x7ffff64d866f in __libc_start_main (/lib64/libc.so.6+0x2066f)
    #8 0x4047c8 in _start (/home/j/rsync/asan/bin/rsync+0x4047c8)

The attached patch will check for argc == 0 and exit_cleanup.

--
You are receiving this mail because:
You are the QA Contact for the bug.

--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
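
The failure mode reported above and the argc check its patch describes, as an added C example that is not part of the original message and not rsync's code. The functions consume_options, sender_dir and handle_request are hypothetical stand-ins, and the argument lists are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the option parser: consumes leading "-x"
 * tokens, advancing *argv and decrementing *argc as the report describes. */
static void consume_options(int *argc, char ***argv)
{
    while (*argc > 0 && (*argv)[0] != NULL && (*argv)[0][0] == '-') {
        (*argv)++;
        (*argc)--;
    }
}

/* Guarded form of the "dir = argv[0]" step: sets *dir and returns 0 on
 * success, returns -1 when the peer supplied no path argument. */
static int sender_dir(int argc, char **argv, const char **dir)
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return -1;
    *dir = argv[0];
    return 0;
}

/* Parse, then guard. Returns the length of the directory name, or -1 when
 * the request has to be rejected (the report's patch exits at this point). */
static int handle_request(int argc, char **argv)
{
    const char *dir;

    consume_options(&argc, &argv);
    if (sender_dir(argc, argv, &dir) != 0)
        return -1;
    return (int)strlen(dir);
}

int main(void)
{
    /* Constructed peer argument lists: one with paths, one options-only. */
    char *with_path[] = { "--server", "--sender", ".", "module/path", NULL };
    char *options_only[] = { "--server", "--sender", NULL };

    printf("with path    -> %d\n", handle_request(4, with_path));
    printf("options only -> %d\n", handle_request(2, options_only));
    return 0;
}
```

The point of the guard is that the count is re-checked after the parser has consumed arguments, since peer-controlled input decides how many remain.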
[Bug 13104] NULL deref do_server_sender when argc=0

Samba - rsync mailing list
https://bugzilla.samba.org/show_bug.cgi?id=13104

Wayne Davison <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from Wayne Davison <[hidden email]> ---
Committing a fix to git now.  Thanks!
